Security Audit
sundial-org/awesome-openclaw-skills:skills/agentmail
github.com/sundial-org/awesome-openclaw-skills
Trust Assessment
sundial-org/awesome-openclaw-skills:skills/agentmail received a trust score of 0/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 3 high, 0 medium, and 1 low severity. Key findings include System prompt override / policy bypass, Sensitive path access: AI agent config, Direct LLM input from untrusted email content (Prompt Injection).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 53/100, indicating areas for improvement.
Last analyzed on March 3, 2026 (commit 6d998e00). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | System prompt override / policy bypass: Ignore/disregard previous instructions pattern. Remove or rewrite any instructions that attempt to override system behavior. Legitimate skills should not contain phrases like 'ignore previous instructions' or 'new system prompt'. | Manifest | skills/agentmail/SKILL.md:85 |
| CRITICAL | Direct LLM input from untrusted email content (Prompt Injection): The skill's primary function involves processing incoming emails. The documentation explicitly warns that 'Incoming email webhooks expose a prompt injection vector' because email content (subject and body) can be directly passed to the agent's LLM via the 'wake' action. An attacker sending a malicious email could inject instructions to manipulate the agent's behavior, potentially leading to data exfiltration, unauthorized actions, or privilege escalation. The skill provides a 'Clawdbot webhook transform' as a recommended solution to filter untrusted senders, but without this filter, the vulnerability exists. Implement the recommended `Clawdbot webhook transform` with an allowlist for trusted senders, or use an isolated session for untrusted emails. Additionally, ensure that any LLM interactions with email content are properly sandboxed, use untrusted input markers, and that the agent's system prompts are designed to treat email requests as suggestions rather than direct commands. | LLM | SKILL.md:78 |
| HIGH | Sensitive path access: AI agent config: Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/agentmail/SKILL.md:93 |
| HIGH | Sensitive path access: AI agent config: Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/agentmail/SKILL.md:123 |
| HIGH | Sensitive path access: AI agent config: Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/agentmail/SKILL.md:128 |
| LOW | Test server binds to all network interfaces (0.0.0.0): The `start_test_server` function in `scripts/setup_webhook.py` binds the Flask development server to `0.0.0.0`. While this is common for local development and testing, it means the server is accessible from all network interfaces. If this script were inadvertently run in a production environment or on a machine exposed to the internet without proper firewall rules, it could expose the test server to unauthorized access. The script's purpose is for local testing, and it explicitly mentions `ngrok` for external access, mitigating the immediate risk. For production or non-local testing, bind to `127.0.0.1` (localhost) or a specific internal IP address. If external access is required, ensure proper authentication, authorization, and network segmentation are in place, or use secure tunneling solutions like `ngrok` as suggested. | Static | scripts/setup_webhook.py:180 |
| INFO | Unpinned Python dependencies: The installation instructions (`pip install agentmail python-dotenv` and `pip install flask`) do not specify exact versions for the Python packages. This can lead to non-deterministic builds, where installing at different times might pull different versions of dependencies, potentially introducing breaking changes or security vulnerabilities from newer versions. Pin all dependencies to exact versions using a `requirements.txt` file (e.g., `agentmail==1.0.0`, `python-dotenv==0.19.0`). Use `pip freeze > requirements.txt` to generate, and `pip install -r requirements.txt` to install. | Static | SKILL.md:30 |
Full report: https://skillshield.io/report/69f01b6a6ce962f3 (powered by SkillShield)